Having worked around financial crimes for a number of years, I noticed they seemed to be on the rise.
One reason for this is technology, which grows more rapidly than laws designed to protect us from it.
Although the blog is a resource to educate people on identity theft, it also strives to educate the common person on the rapidly growing problem of crimes enabled (made too easy) by technology and the Internet.

This second post is meant to focus on the privacy issues (controversies) that surround this product. While this technology has definite security and supply chain potential, the potential for abuse is also great.

I suppose the use of these tags is inevitable, however we need to be proactive in developing legislation (laws) designed to prevent their abuse. Legislation rarely keeps up with technology and from a historical perspective there has been substantial abuse of other technologies, such as adware/spyware and keyloggers; which have been used for illegal purposes and legally (because of a lack of legislation) to invade personal privacy.

Simson L. Garfinkel wrote an article about this in "The Nation." Here are some excerpts:

So why did the American Civil Liberties Union, the Electronic Frontier Foundation, The World Privacy Forum and a dozen other organizations ask for a voluntary moratorium on RFID technology in consumer goods? Because this use of RFID could enable an omnipresent police surveillance state, it could erode further what's left of consumer privacy and it could make identity theft even easier than it has already become.

RFID is such a potentially dangerous technology because RFID chips can be embedded into products and clothing and covertly read without our knowledge. A small tag embedded into the heel of a shoe or the inseam of a leather jacket for inventory control could be activated every time the customer entered or left the store where the item was bought; that tag could also be read by any other business or government agency that has installed a compatible reader. Unlike today's antitheft tags, every RFID chip has a unique serial number. This means that stores could track each customer's comings and goings. Those readers could also register the RFID tags that we're already carrying in our car keys and the "prox cards" that some office buildings use instead of keys.

Mr. Garfinkel's conclusion, which seems very sound, was:

Companies that are pushing RFID tags into our lives should adopt rules of conduct: There should be an absolute ban on hidden tags and covert readers. Tags should be "killed" when products are sold to consumers. And this technology should never be used to secretly unmask the identity of people who wish to remain anonymous.

In another study, uncovered by the Chicago Sun-Times, shelves in a Wal-Mart in Broken Arrow, Oklahoma, were equipped with readers to track the Max Factor Lipfinity lipstick containers stacked on them. Webcam images of the shelves wereviewed 750 miles (1200 km) away by Procter & Gamble researchers in Cincinnati, Ohio, who could tell when lipsticks were removed from the shelves and observe the shoppers in action.

In January 2004 a group of privacy advocates was invited to METRO Future Store in Germany, where an RFID pilot project was implemented. It was uncovered by accident that METRO "Payback" customer loyalty cards contained RFID tags with customer IDs, a fact that was disclosed neither to customers receiving the cards, nor to this group of privacy advocates. This happened despite assurances by METRO that no customer identification data was tracked and all RFID usage was clearly disclosed.

The controversy was furthered by the accidental exposure of a proposed Auto-ID consortiumpublic relationscampaign that was designed to "neutralize opposition" and get consumers to "resign themselves to the inevitability of it" whilst merely pretending to address their concerns.

The standard proposed by EPC global includes privacy related guidelinesfor the use of RFID-based EPC. These guidelines include the requirement to give consumers clear notice of the presence of EPC and to inform them of the choice that they have to discard, disable or remove EPC tags. These guidelines are non-binding, and only partly comply with the joint statement of 46 multinational consumer rights and privacy groups.

If readers are easily accessible, or not protected properly from theft, there is also the potential that identity thieves could scan personal information. Whether or not, this is feasible is a matter of great debate, but as with all technology, even if it isn't feasible now, how long will it take for someone to create a way to do it?

7 comments:

Spyware is not only a major nuisance but as you said in you post a threat to privacy. This is far more threatening to users and it should not be treated as harmless. Looking forward to your follow up article.

In my Networkworld Security Chief blog, I too ranted against the lack of security in RFID tags which are not only being installed on goods, but in people. Last October, the Federal government quietly approved RFID chip implants in humans which are being used experimentally for purposes of medical information and entertainment preferences. No encryption, and anyone with an RFID reader could gather the information off these chips they need to steal identities. The same would happen with our passport information - name and addresss and birthdate are enough information to become us. And what happens when they want to put even more info on said chips on passports, identity cards, and in human implants? Scary, scary, scary!

I truly hope others are investigating this RFID usage. I have started to research it myself and have done a blog on the information I have found, and I will continue to post on this subject in the future. I am glad to see others are taking the notice and helping to get the information out about these chips.

Millions of new credit cards and passports contain tiny two way radios called RFID chips. This makes it easy for theives to employ electronic pickpocketing and scan your credit card numbers and other info without touching you.

Our RFID blocking products sold here will help preventthis from happening to you.

About 100 million credit cards now have this contactless technology embedded into them. However, over the next 2-3 years, it is expected that credit card issuers will replace every single magnetic stripe credit and debit card with a new contactless smart cards. Why shouldn't they? These cards seem to make it all easier. So much easier that some folks are reading your credit cards before you even take them out of your wallet. For more Information Visit http://www.2012obama2012.com/Credit_Card_Protection.php